Threat Level: green Handler on Duty: Richard Porter

SANS ISC: InfoSec Handlers Diary Blog - AutoRun disabling patch released InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

AutoRun disabling patch released

Published: 2009-02-25
Last Updated: 2009-02-26 20:46:47 UTC
by donald smith (Version: 2)
1 comment(s)

Microsoft released a patch to correct the "disable autorun registry key" enforcement.
http://support.microsoft.com/kb/967715
Updates are offered for the following OSes:
* Microsoft Windows 2000
* Windows XP Service Pack 2
* Windows XP Service Pack 3
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2

The US Cert released an announcement stating that "Microsoft Windows does not disable AutoRun properly" back on January 20th.
http://www.us-cert.gov/cas/techalerts/TA09-020A.html

"Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability."

The Conficker worm spreads via autorun and we have run several diaries about autorun issues.
Conficker -> http://isc.sans.org/diary.html?storyid=5695
PictureFrame malware -> http://isc.sans.org/diary.html?storyid=3817
PictureFrame Malware2 -> http://isc.sans.org/diary.html?storyid=3807

UPDATE: A reader (Thanks Michael) wrote in saying that he was using xp home edition and was unable to follow the directions in microsofts KB article about using gpedit.msc to create a group policy. He is correct. XP home can't run gpedit.msc. XP home users need to follow the "How to selectively disable specific autorun features" steps. I recommend you modify the NoDriveTypeAutoRun value to 0xFF. That should disable autorun on ALL drives.

Keywords: autorun patch
1 comment(s)
Diary Archives